Category: IT Audit (Page 12 of 13)

Advisory on Badlock Vulnerability

April 15, 2016 / pkfavantedge / 0 Comments

badlock

This is a security advisory on the Badlock Bug.

What is Badlock?

Samba is an important component to seamlessly integrate Linux/Unix Servers and Desktops into Active Directory environments. It can function both as a domain controller and as a regular domain member. On April 12th, 2016 Badlock, a crucial security bug in Windows and Samba was disclosed. The security vulnerabilities can be mostly categorized as man-in-the-middle or denial of service attacks.

Man-in-the-middle (MITM) attacks:

There are several MITM attacks that can be performed against a variety of protocols used by Samba. These would permit execution of arbitrary Samba network calls using the context of the intercepted user. Impact examples of intercepting administrator network traffic:

Samba AD server – view or modify secrets within an AD database, including user password hashes, or shutdown critical services.
Standard Samba server – modify user permissions on files or directories.

Denial-of-Service (DoS) attacks:

Samba services are vulnerable to a denial of service from an attacker with remote network connectivity to the Samba service. Microsoft has addressed this in MS16-047. This vulnerability can be used to login as another user for applications that use the SAMR or LSAD protocol. All versions of Windows are affected.

Who is Vulnerable?

Samba Application running on Linux/Unix Systems

3.6.x,
4.0.x,
4.1.x,
4.2.0-4.2.9,
4.3.0-4.3.6,
4.4.0

Windows

All supported editions of Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, and Windows 10.

Associated CVEs

Badlock for Samba is referenced by CVE-2016-2118 (SAMR and LSA man in the middle attacks possible) and for Windows by CVE-2016-0128 / MS16-047 (Windows SAM and LSAD Downgrade Vulnerability).

There are additional CVEs related to Badlock. Those are:

CVE-2015-5370 (Multiple errors in DCE-RPC code)
CVE-2016-2110 (Man in the middle attacks possible with NTLMSSP)
CVE-2016-2111 (NETLOGON Spoofing Vulnerability)
CVE-2016-2112 (LDAP client and server don’t enforce integrity)
CVE-2016-2113 (Missing TLS certificate validation)
CVE-2016-2114 (“server signing = mandatory” not enforced)
CVE-2016-2115 (SMB IPC traffic is not integrity protected)

How to check if server is vulnerable?

A server is vulnerable to BADLOCK if:

It is running any of the above mentioned versions of SAMBA
For vulnerable Windows versions refer the following link:

https://technet.microsoft.com/library/security/MS16-047

How to fix

For Samba service running on Linux/Unix systems, apply the patches provided by the Samba Team and SerNet for EnterpriseSAMBA / SAMBA+ immediately.

Patched versions are (both the interim and final security release have the patches):

4.2.10 / 4.2.11,
4.3.7 / 4.3.8,
4.4.1 / 4.4.2.

For Windows Installations, refer following link for patch details:

https://technet.microsoft.com/library/security/MS16-047

References and Useful Links

http://badlock.org/

https://www.samba.org/samba/latest_news.html#4.4.2

https://www.samba.org/samba/security/CVE-2016-2118.html

https://technet.microsoft.com/library/security/MS16-047

For more information or a vulnerability scan, please contact us at avantedge@pkfmalaysia.com.

The Myths of the Top 10 Myths of PCI-DSS

April 9, 2016 / pkfavantedge / 0 Comments

pci-compliance

A while back, the PCI council published a good article called the Ten Common Myths of PCI-DSS, to basically debunk a few conclusions people (or so they think) might have on PCI-DSS.

After wading deep into this standard for the past 6 years, I am taking a look again at these myths and I am like, Wait a minute, this isn’t exactly correct.

Myth 1 – One vendor and product will make us compliant

This myth is hard to beat. It’s obvious that one vendor and one product doesn’t make anybody compliant since PCI-DSS is so much more than a product or an implementation. It’s the practice of security within an organisation itself. But wait. Not all PCI projects are created equal, and here’s where we call ‘scope reduction’ comes into play. It is possible that a product can significantly reduce scope so much so that it’s almost easy to become compliant. For instance, tokenization. This is a solution created to remove the need of dealing and storing actual card data in a merchant environment. Instead a token is used and is mapped in the token vault provided by a service provider. Hence, the merchant does not have the key or means to decrypt. Of course, they still handle the first time card data is transmitted through, but it removes the need of the merchant to completely fill the dreaded SAQ D-MER as they no longer need to store card data. Or P2PE for instance. When it started, the solution was to provide a point to point encryption so that merchants need not have the means to manage the keys or decrypt the data. Of course, P2PE bombed and they had to revise the standard to make it more realistic.

Myth 2 – Outsourcing card processing makes us compliant

Again – if you outsource card processing, it might not immediately make you compliant but it sure as heck make it a lot easier to be compliant! With the new revisions of SAQ, we have the nicely flavoured SAQ-A and SAQ A-EP for ecommerce merchants to deal with, to avoid the death knell of SAQ D-MER. There are like 9 flavours of SAQ (self assessment questionaire if you are wondering), and merchants might differ in their journey of PCI depending on their business. Outsourcing to a PCI compliant card processor or payment gateway is a great way to reduce your scope. So while this myth is correct, outsourcing is still a great strategy if payment processing is not your core business.

Myth 3 – PCI compliance is an IT project

Everyone will nod their head in the board room and steering com and agree to this one sagely. But from experience, I will tell you, whether it’s business or IT project – IT guys will be significantly involved in it. If you think you can breeze through this sucker the way you championed through ISO27001, you are in for a little surprise. A large part of the 12 requirements deal with technical requirements, from firewall configuration to antivirus to logical access controls. Logging and key management are significant challenges we find, and an entire requirement 6 deals with patch management and secure coding practices. So, if you are not familiar with terms like OWASP, KEK, DEK, WSUS, TACACS/ACS/LDAP, XSS, CSRF,CVE and all these, it’s time to get cracking. Having done both ISO27001 and PCI, we can say the ISO is more of a best practice/guideline on security while PCI is a standard. It’s either you do or do not. There is no try.

Myth 4 – PCI will make us secure

I know what this myth is trying to say, but technically, if you are practicing PCI, you are a heck lot more secure than someone that’s not. Besides, being ‘secure’ isn’t a final state to be – it’s not possible, but rather it should be a constant practice of a hundred different activities to contribute to ‘being secure’. It’s like when people talk about ‘enlightenment’ or ‘world peace’ – it’s not actually achievable – and even if it is – it’s not sustainable. So yes, PCI will make you secure , relative to the company that has their server under a marketing director’s desk and the password “PASSWORD”.

Myth 5 – PCI is unreasonable; it requires too much

Obviously, PCI Council wants you to think this (again, they are saying these are myths, so whatever you read, PCI Council is asking you to think opposite). They are saying, PCI is reasonable, it doesn’t require much.

I disagree.

It requires a lot.

I mean, OK, if you say SAQ A or A-EP, fine, agreed, it’s a breeze. But if you are talking about SAQ D or a full cert?

Unless you have unlimited resources, money, time or already practicing some Level 5 Maturity of security, then you need to really look into managing PCI. Most of our clients aren’t in that state, so when you talk to them about the amount of work needed? Oh boy.

Let’s say they have 40 devices in scope. Multiple applications, running on multiple servers. Several layers of firewalls. Firewall rules need to be clean. Sounds easier than it is. The amount of legacy rules we see in some clients would make you think that firewall has been around since the internet was invented. Server upgrades due to EOL. Network changes because the database is accessing the internet directly. Applications not patched. Devices not updated. Logging not centralised. No correlation of logs or event management. No incident management. No central management of passwords and users. Applications developed eons ago and developers have since left the company with the only document being a note saying, “Goodbye and thanks for all the fish!”. You get the drift.

Myth 5 and Myth 10 (PCI is too hard) is the same. When you put the word “TOO” in there, its brings in relativity. What is “TOO” to some companies? When you have a single administrator running the whole thing and he is dividing his time between this and a thousand other things, “TOO” might be the key phrase there. So, I won’t say it’s not possible for a full certification – it obviously is, since we have certified a number – but what we don’t want is our clients walking into PCI with expectations of breezing through and then get slammed like a deer in headlights. It will take effort. It will take resources. It will take money and it will take time. Yeah, time. Around 3 – 4 months if you are lucky for a full certifications. I often get a stunned look of disbelief and a general retort that goes like: “<insert invectives here>, I thought it would only take 2 – 4 weeks, man.”

Look – PCI is really useful and it’s not the intention to discourage people from going for it – but it would be great to be better informed so that expectations can be synced to reality. In the next article, we will cover the remaining myths of PCI.

The Usage of the PCI-DSS logo

January 26, 2016 / pkfavantedge / 4 Comments

Over recent weeks, we’ve been getting a lot of inquiries of PCI-DSS as it looks to pick up in Malaysia. From banks to financial institutions, to insurances, to data centers, BPOs and even software developers, this little compliance standard seems to be touching every part of the every verticals, as Malaysia (and the world) looks towards a society focused on cashless transactions.

More and more, in my meetings with partners and customers, we are seeing the usage of PCI-DSS Logos, and PCI-DSS Compliant symbols in their websites, in their presentation slides and marketing collateral. Unless it comes with a statement to it, for instance you are directly referencing the PCI-SSC in its logo usage, our suggestion is this: Stop using those logos. The SSC has already sent out a circular way back in 2011 addressing the profusion of these “I am PCI-Compliant”, PCI-compliant website seal, PCI-Certified Level 1 Logo etc..and they are basically saying: Unless you are a QSA, you are not allowed to use any of these logos for your own purposes.

Instead, we suggest to either have a link to your certification copy directly from your QSA. Many QSAs provide that and they can attest your compliance easily. This could be a link to the AoC (rare but like AWS, is possible), or simply a seal provided by the QSA (not PCI-DSS Logo seal), if your QSA provides it. All attestation should be QSA specific and not led to believe that the PCI-SSC directly endorses the site or company as PCI-DSS Certified.

I suppose this is to deter companies from falsely advertising their status. As we know, PCI-DSS is based on scope and location. By putting a PCI-DSS logo, it might lead customers to believe that the particular business process (for instance Manage Services) is PCI certified, whereas the actual certification is only on Physical Data Center services (example). Furthermore we have seen unscrupulous software companies advertising their solutions as ‘PA-DSS’ certified along with the logo, but when sold to our customers, is actually the version that is NOT certified, and therefore, our customers paid for something that is non-existent.

Be careful! And stop using PCI-DSS logo indiscriminately!

Here is the full statement direct from the PCI Council:

PKF Avant Edge is now HRDF certified training company

March 2, 2015 / pkfavantedge / 0 Comments

We are now a HRDF certified training company.

We have several training that is SBL claimable that includes training materials and certificate of attendance:

1) PCI-DSS Foundation Training (PCIP Led, QSA developed materials), certificate of training from PKF and our vendor QSA Control Case International

2) PCI-DSS Implementor Training (PCIP Led, QSA developed materials), certificate of training from PKF and joint QSA vendor Control Case International

3) GST Malaysia Training (Led by RMCD Certified Trainer)

3) Introduction to Technology Audit (Led by Certified Auditor and Certified Information Security Professional – CISA,CISSP)

5) Project Management Level 1: Foundations (Led by Project Management Professional Certified)

6) Project Management Level 2: Advance (Led by Project Management Professional Certified)

7) Personal Data Protection Act Training (Led by Certified Auditor and Certified Information Security Professional)

Stay tuned for more details. Our training site has been updated at http://www.pkfavantedge.com/training-programs/

If you need more information, please send your enquiries to training@pkfmalaysia.com.

PKF IT Opportunities

May 20, 2013 / pkfavantedge / 0 Comments

One of the main reasons we moved the IT advisory function out of internal audit was the fact that IT encompassed so much more than just doing an audit.

I believed in the exponential growth of IT based on the simple belief: IT is integral to efficient and effective businesses. Businesses that do not leverage on IT will go nowhere. So it only makes sense that IT will get more complex and more critical as each year goes by.

Back in 2010, PKF Malaysia realised this pattern. By staying stagnant and doing what the other firms were doing: Internal Auditors doing IT audits, we were going to simply die off. The first thing we realised was that, while Internal Auditors were OK doing IT audits, these were two different animals. We didn’t want to do checklist audits. We didn’t want someone doing IT audit who didn’t even know what the heck was an AAA server or how to do a simple VLAN config on a Cisco router. We didn’t want someone who would go up to the Audit Committee, put someone else’s career at stake by giving ridiculous recommendations and reports, based on ‘previous experience’ and ‘industry best practices’, when they don’t even know head or tail on what Active Directory is used for, or what’s the basics of DNS poisoning or IP spoofing. We needed serious technical people who have been on both customer and consulting end, and we needed to separate from the Internal Audit group….simply because we want an audit to be done differently.

We moved quickly into ISO27001 (ISMS) and PCI-DSS, we went through ISO27005 for risk assessment, we did COBIT 4.1 training and enablement and got everyone at least CISA certified. Most of us, like me, have multiple certs, for instance in IT forensics, IT ethical hacking, IT management, Project management and so forth.

We moved quickly to become MSC status to be a serious player in 2011, and we started strategic collaborations for different purposes. We joined workgroups with government and private agencies, opening channels to MOSTI, MIMOS, Bank Negara and so on, to conduct knowledge sharing sessions. For free. I am a great believer that contribution back to the industry should be done as part of our professional duty, and not as an engagement service.

So here we are, at the precipice of change. PKF itself has undergone some tremendous changes over 2012 and 2013. This week, we had our PKF Asia Pac Conference, where different countries got together, to explore different areas and opportunities. We’re excited, as we see the work we’ve done in the past 3 years to build our knowledge and reputation, possibly coming to fruition. I am also a big believer that PKF requires an IT function regionally. There should be a Center of Excellence, not just to do IT audit but to do Technical Services like penetration testing and forensics, or troubleshooting and service management; and also project management.

This is where we are. We still have a long way to go, but with the extension of our services into the other firms in PKF, we’re set to stay for a long while.

Here is the link to the presentation we did to the other PKF Firms last week.

PKF Avant Edge – Partner Presentation

Category: IT Audit (Page 12 of 13)

Advisory on Badlock Vulnerability

The Myths of the Top 10 Myths of PCI-DSS

The Usage of the PCI-DSS logo

PKF Avant Edge is now HRDF certified training company

PKF IT Opportunities

Recent Posts

Categories

Calendar

Disclaimer

November 2024
M	T	W	T	F	S	S
« Oct
				1	2	3
4	5	6	7	8	9	10
11	12	13	14	15	16	17
18	19	20	21	22	23	24
25	26	27	28	29	30